close Warning: Error with navigation contributor "BittenChrome"
Posts for the month of December 2014

SandboxOS

Several months ago I got a notion for a potentially enormous programming project I wanted to undertake. I've spent bits of time on and off implementing it, and it has come quite far. The last thing I want to do is stop all of the exciting work to document it, but after some reflection, that is the thing that it most obviously needs right now.

What follows might be crazy-town, but it still seems pretty neat to me.

What Is SandboxOS?

I struggle to find a comparison that does it justice, but I keep trying:

SandboxOS is...

Nuts and Bolts

  • It runs applications on Google's V8 JavaScript engine.
  • It uses libuv, from node.js, to interact with the OS when possible.
  • Each application runs as a separate process, as a first step toward implementing Google Chrome's Sandbox architecture.
  • Applications can interact with other applications by calling exported functions, provided that they have requested and been granted permission to do so.

The Last Thing I Wanted

I tried everything I could think of to meet the goals if this project without resorting to using JavaScript.

I ended up settling on JavaScript for a few key reasons:

  • Web browsers are by far the most widespread use of a sandboxed runtime that I could find. Plainly, I want to force an opt-in decision whether an application can invoke any individual thing outside of the application.
    • I looked at a few attempts at sandboxes for languages like Perl, Python, and Ruby, but it was clear that sandboxed execution was so far from the goal of those runtimes that it was a lost cause. I even passed up on node.js for the same reason - it was easier to start from scratch than to audit and secure everything there. The few approaches that looked sound were not portable or incomplete.
    • I know that Java and .NET make security claims, but I ruled them out early, because the security models seemed far from anything I could leverage for my specific needs, and the licensing and portability concerns are still pretty huge.
    • Web browsers run untrusted code all of the time. They crash tabs and eat memory, but at the end of the day, they are the one example of sandboxing I could find that are essentially globally relied upon.
  • Even if JavaScript isn't perfect, it has features that give it huge potential for my needs.

Circles and Arrows

Below is the bigger picture that I see this all fitting into. The interesting thing to me is not what I specifically imagine this thing doing but what little effort in implementing a few small parts it has taken to enable these sorts of things.

GraphViz image

Resources

I intend to follow this up with related posts on more focused topics. If nothing else, this project has forced me to learn at least a little bit more about a lot of things I wouldn't have otherwise interacted much with:

  • V8
  • libuv
  • TLS
  • JavaScript
  • C++11

For now, some SandboxOS links: